Google Chromebook's auto-update scheme will be hard sell

Consumers may love that Google's Chromebooks will automatically deliver security updates, but company administrators will resist it tooth and nail, experts said today.

The notebook PCs, which will initially come from Samsung and Acer, and go on sale next month, will feature Google's Chrome OS and run only online applications.

Google is pitching the new machines at consumers, businesses and schools, with the latter two groups able to buy them on a subscription basis, starting at $28 per business user and $20 per school and public sector user.

"It's software and hardware as a service," Sundar Pichai, Google's senior vice president for Chrome, said Wednesday as the company announced the Chromebooks.

Like Google's Chrome browser, Chrome OS will deliver updates -- Google refuses to call them patches -- in the background, without asking or notifying users. And while Google will provide a Web-based management console to IT administrators, that console does not let them manage Chrome OS updates, or modify how they're delivered.

That's going to be a hard sell, said several security analysts and researchers.

"This does concern me," said Jason Miller, the data and security team manager for Shavlik Technologies. "Good patch management policy is to test before they're deployed. But here you don't get a say. And that leaves you at the mercy of Google."

"This is never going to fly for IT," said Jeremiah Grossman, CTO of WhiteHat Security

That's because administrators are responsible for not only the security of their networks, but also for its smooth operation. If a patch in a Chrome OS update breaks compatibility with an existing Web application, or even worse, cripples the machine, it's their neck on the line, not Google's.

"Administrators are going to want control over updates," said Miller. "If these machines go down, it's their job."

On other platforms -- notably Windows, which powers an overwhelming majority of enterprise computers -- administrators have that control. Through software such as Windows Server Update Services (WSUS), IT staffers can decide which machines are updated, and delay updates until they've had a chance to test the patches' impact on a limited number of PCs.

Chrome OS's automatic updating allows none of that. In fact, Google won't warn administrators that an update is coming, a fact it makes clear in an online FAQ.

"Google does not pre-announce Chrome OS updates before they are rolled out," the FAQ states.

Updates for the Chrome browser are delivered the same way: without warning.

Not surprisingly, Google sees the automatic updates as a win. "When a user turns it on, a Chromebook automatically upgrades itself with the latest features and fixes, so Chromebooks are always running the latest and most secure versions," the company's FAQ says.

"Taking it out of administrators' hands will save them time and money," Miller acknowledged. "But now you're assuming that [Chromebooks] are up to date, which may not be the case. Take Adobe, for example. I've seen its update notifications [for Reader and Flash] fail time after time after time."

The result: A potential nightmare for businesses.

"No operating system is perfect," said Raiu. "Even the best have stability issues, compatibility issues."

John Pescatore, an analyst with Gartner who specializes in security issues, said problems are unavoidable with silent updates. "Now, a [Chromebook] doesn't run local apps, but there will likely be JavaScript or in the future, HTML 5-type apps that will break with updates," said Pescatore. "That is inevitable. A bad update will impact users directly. [IT] cannot QA updates beforehand."

If Pescatore's right, someone's head will roll. And it won't be Google's, because management will point fingers at the closest target: IT.

"One 'oops' could result in a major problem for everybody," said Miller.

Consumers, however, are another story for Chrome OS and its auto-updates, most experts said. Taking control out of the hands of those users is a smart idea.

"For consumers, silent updates is a godsend," said Grossman, who noted the success of Google's Chrome browser, which installs updates in the background, and the fact that Chrome OS is essentially that browser atop a customized Linux operating system.

"It's difficult to pop Chrome," said Grossman, referring to that browser's security reputation. "It's difficult to pop that OS. So Google has shut down the major attack vectors that the Windows world is dealing with."

And in the end, IT resistance to silent updates may be moot.

"I think that really is the way of the future. It is pretty much how it works in the smartphone and cellphone world," said Pescatore. "Enterprises will just have less control over the images in the future. And security strategies will have to evolve to deal with it."

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.